Clarke rips Microsoft over security

Former White House adviser alludes to its vulnerabilities

Published 10:00 pm, Wednesday, February 16, 2005

SAN FRANCISCO -- Don't expect Richard Clarke to rely on Microsoft Corp.'s anti-virus or anti-spyware programs to protect his own computer.

"Given their record in the security area, I don't know why anybody would buy from them," the former White House cybersecurity and counterterrorism adviser said yesterday, when asked for his thoughts on Microsoft's forthcoming line of security software.

The observation came during an impromptu interview on the sidelines of the RSA computer security conference in San Francisco, where Clarke took part in panel discussions with other experts in technological and national security.

His take on Microsoft's planned security-software offerings underscores one of the major challenges the Redmond company will face as it proceeds -- the fact that many of the online threats encountered by computer users take advantage of vulnerabilities in the company's own products.

Microsoft has been trying to reduce and fix vulnerabilities in its products as part of a broader companywide initiative to improve their security.

Bill Gates this week also announced plans to supplement those efforts by offering anti-spyware software free to individual Windows users. The company also plans to release an anti-virus product this year and introduce a new version of Internet Explorer this summer -- about a year sooner than expected -- to boost security.

But Clarke, during one panel discussion yesterday, called on Microsoft and other software companies to become more publicly accountable in their efforts to develop secure software. He said he asked Microsoft last year to disclose the specific quality-assurance practices it was following in the pursuit of more-secure software code.

The idea, he said, would be for the software industry to collectively come up with a set of best practices for secure software development. Outside experts would then be able to judge how well each company lives up to those practices.

"There's no fine involved, there's no liability involved, but the marketplace is better informed, and the marketplace works better when it knows what's going on," Clarke said, drawing a round of applause from the crowd at San Francisco's Moscone Center. Panelists compared the concept to the effort to hold public companies to standards for financial reporting under the Sarbanes-Oxley Act.

Asked about the issue afterward, Clarke acknowledged that he doesn't believe Microsoft would ever agree to such a plan.

In a statement responding to Clarke's comments, Microsoft said it has formalized its internal security efforts by adopting an official life cycle that it uses to develop secure software, in addition to publishing books and other materials about the methods it follows. At the same time, the company said it makes its security-related tools available to independent developers, works with other companies on security issues and offers formal training on security.

"The market is demanding security now, and that hard work is going forward already," said Amy Roberts, director of product management in Microsoft's Security Business and Technology Unit, in the statement.

During a panel discussion on technology regulation, Rick White, a former Republican congressman from Washington state, agreed with Clarke that it would be good to establish visible standards by which companies could be judged in the marketplace.

"I think that's a blueprint for something that probably works," said White, now chief executive of technology lobbying organization TechNet. "It's just a question of how far you get the government involved."

But on the subject of government involvement, White and Clarke disagreed, as illustrated by a related discussion of Internet service providers. Clarke said he would want to see government regulation of ISPs to ensure that they offer adequate levels of security to their customers.

But White warned that regulation in general could hinder technological advances.

"We have a great thing going in terms of innovation in this country," he said. "We're leading the world and we need to be able to continue to do that."

Another panelist, security expert Bruce Schneier, said it was important to remember that the underlying goal of software companies is financial, no matter how well intentioned their security efforts.

"Companies are not charities," Schneier said. "They don't do this stuff out of the goodness of their heart. They do it because the marketplace demands it, they do it because liability demands it, they do it because regulation demands it, they do it because competition demands it. Something has to demand it."

Along those lines, he said, "The marketplace will only go so far."

Clarke, who advised four presidents, rose to a new level of prominence last year with charges that President Bush failed to take the terrorist threat seriously prior to the Sept. 11 terrorist attacks. A book by Clarke and his testimony before the 9/11 Commission detailed his efforts to sound the alarm about terrorism. He raised similar themes yesterday, saying that industry and government need to pay greater attention to the risk of cyberterrorism.

"Regulation is neither good nor bad -- it depends upon the industry and the regulation. There is smart regulation. But industry should bear this in mind when they resist any regulation: After we have a major incident, there will be much worse regulation than you could get now."